Skip to content

FPD (Full Path Disclosure) of TMPDIR directory in output

a FPD (Full Path Disclosure) issue exists which leak the path of TMPDIR, for example:

by comparing apk files that result in apktool to fail, see issue #125 which show usage of TMPDIR as /tmp/

in try.diffoscope.org it's /srv/storage.try.diffoscope.org/ as can be seen from:

https://try.diffoscope.org/zrdzxzeqhypg.html

a/mbmb5.lumixextendedcontrolapp_12.apk vs.
b/mbmb5.lumixextendedcontrolapp_11.apk
Command `apktool d -k -m -o /srv/storage.try.diffoscope.org/zrdzxzeqhypg/diffoscope_auiigw86/tmp8yum6_u9/mbmb5.lumixextendedcontrolapp_12.apk a/mbmb5.lumixextendedcontrolapp_12.apk` exited with 1. Output:
<none>

user might have TMPDIR point to home directory such as /home/username/tmp which will leak the username part.

fix: change the real TMPDIR value to {TMPDIR} or generic /tmp/ before printing it in output.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information